Wednesday, February 24, 2016

Should Apple give the FBI access to all our iPhones?

Considering how public opinion can sway important legal matters, there is perhaps nothing more perilous than irresponsible journalism. Unfortunately, in an age where click-bait is the name of the game, reporters unfamiliar with their subject matter often spread misinformation. This, sadly, is especially true for information technology.

You may have recently heard from various news sources that Apple previously ‘unlocked’ iPhones for the FBI (Federal Bureau of Investigation) ‘70 times’. Some even claimed that Apple is refusing to do so now as part of a marketing strategy. This has also been gleefully echoed by the FBI itself.

Some of the sources aping the news include:

NPR: “The fact that Apple unlocked roughly 70 phones in previous cases was revealed during a court hearing last October.”

(NPR later issued a half-hearted correction)

The Daily Beast: “And according to prosecutors in that case, Apple has unlocked phones for authorities at least 70 times since 2008.”

(Apple doesn’t dispute this figure.)

In other words, Apple’s stance in the San Bernardino case may not be quite the principled defence that Cook claims it is. In fact, it may have as much to do with public relations as it does with warding off what Cook called ‘an unprecedented step which threatens the security of our customers’.

ZeroHedge: “Is It All Just A Publicity Stunt: Apple Unlocked iPhones For The Feds 70 Times Before.”

It’s just too bad that they are dead wrong. The technical mistake they made reveals a lack of understanding as far as the finer points of the case are concerned.

In the aftermath of the incident there were more questions than answers.

After a storm of media speculation, the FBI clarified that the pair had no official link with any terror groups, and may have only been inspired by online extremist propaganda, as evident from the private messages they exchanged. What’s more, contrary to earlier reports, Malik did not pledge allegiance to ISIS.

Perhaps many more answers were locked away in Farook’s iPhone 5c.

Or perhaps not.

So far, the FBI hasn’t been completely successful in its attempts to extract information from the iPhone in question. The data secured by the law enforcement agencies was from the iCloud, and the last date on which Farook’s device backed up information to this service was on the 19th of October.

This, of course, leaves a tantalising gap of a few weeks until the shooting.

The FBI now wants Apple’s help in breaching Farook’s iPhone.

Apple has disagreed.

In an open letter to his customers, CEO Tim Cook explained the company’s stance,

“We were shocked and outraged by the deadly act of terrorism in San Bernardino last December. We mourn the loss of life and want justice for all those whose lives were affected. The FBI asked us for help in the days following the attack, and we have worked hard to support the government’s efforts to solve this horrible crime. We have no sympathy for terrorists.

When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case. We have also made Apple engineers available to advise the FBI, and we’ve offered our best ideas on a number of investigative options at their disposal.

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

A recent PEW survey says more people side with the Justice Department than Apple. 51% believe the iPhone should be unlocked while 38% say it should not. This is likely because such people believe the hack would only be limited to one iPhone.

That’s not the case.

As Matthew Panzarino explains in an excellent piece for Tech Crunch, Apple never unlocked 70 iPhones for the government. The devices Apple was able to extract data from for the government, were still locked because they were running iOS version 7 or earlier.

The newer version of the iOS, such as the iOS 9 found on Farook’s iPhone, features more secure encryption. Yes, the sort of encryption designed to protect your credit card data.

TechCrunch: “So Apple is unable to extract any data including iMessages from the device because all of that data is encrypted. This is the only reason that the FBI now wants Apple to weaken its security so that it can brute-force the passcode. Because the data cannot be read unless the passcode is entered properly.

If, however, you assume that these stories are correct and that Apple has complied with requests to unlock iPhone passcodes before and is just refusing to do so now, it could appear that a precedent has already been set. That is not the case at all, and in fact that is why Apple is fighting the order so hard — to avoid such a precedent from being set.”

So, what’s the big deal?

Why can’t Apple build a backdoor into the latest iPhone OS?

Well, it’s because Apple wouldn’t just be building a security hole into Farook’s iPhone, but potentially everyone’s iPhone.

TechCrunch: “If the FBI succeeds in ordering Apple to comply in California, it would have to build a new software version of iOS that allowed electronic brute-force password cracking. This is an important distinction to make when talking about such an important precedent-setting case.”

The FBI wants to use the brute force method to hack Farook’s phone, which basically means endlessly guessing the password without the device erasing data after it suspects a hacking attempt. The brute force method is also used by hackers worldwide.

No one disputes the FBI’s right to read Farook’s data. If this was merely about them having a key only to Farook’s locks, it would not have been an issue. But if by weakening one security, the FBI possibly weakens the security of millions, is it worth it? And where does it end?

In 2013 President Obama claimed that since 2001, mass surveillance saved lives at least 50 times on American and foreign soil,

“We know of at least 50 threats that have been averted because of this information not just in the United States, but, in some cases, threats here in Germany.”

As the Electronic Frontier Foundation reports, the claim was debunked several times. In fact, during a congressional exchange, Senator Leahy forced National Security Agency (NSA) Director Alexander to go back on the claim:

“Would you agree that the 54 cases that keep getting cited by the administration were not all plots, and of the 54, only 13 had some nexus to the US.?” Leahy said at the hearing. “Would you agree with that, yes or no?”

“Yes”, Alexander replied, without elaborating.

To make matters worse, according to whistleblower Edward Snowden, NSA employees not only use their powers to spy on love interests, but to conduct corporate espionage.

Encryption doesn’t just protect the average citizen from hackers, but it also shields businessmen from government employees, and dissidents from cruel authoritarian governments. For every bloodthirsty terrorist fighting for ISIS, there is a freedom fighter battling for human rights in The Middle East or Asia. There is a Saudi blogger like Raif Badawi or a Chinese human rights lawyer like Zhou Shifeng.